Incident-centered information security: Managing a strategic balance between prevention and response
References
Åhlfeldt, 2007, 73
Albright, 2010, Detecting and disrupting illicit nuclear trade after AQ Khan, The Washington Quarterly, 33, 85, 10.1080/01636601003673857
Antunes, 2010, Vulnerability discovery with attack injection, IEEE Transactions on Software Engineering, 36, 357, 10.1109/TSE.2009.91
Argyris, 1977, Double loop learning in organizations, Harvard Business Review, 55, 115
Bahill, 2009, An industry standard risk analysis technique, Engineering Management Journal, 21, 16, 10.1080/10429247.2009.11431841
Baskerville, 1988
Baskerville, 1991, Risk analysis: an interpretive feasibility tool in justifying information systems security, European Journal of Information Systems, 1, 121, 10.1057/ejis.1991.20
Baskerville, 2005, Warfare: a comparative framework for business information security, Journal of Information Systems Security, 1, 23
Berghel, 2007, Better-than-nothing security practices, Communications of the ACM, 50, 15, 10.1145/1278201.1278222
Boyer, 2008, Ideal based cyber security technical metrics for control systems, 246
Bradbury, 2010, Shadows in the cloud: Chinese involvement in advanced persistent threats, Network Security, 2010, 16, 10.1016/S1353-4858(10)70058-1
Brand, 2007
Carr, 2013
Cassini, 2008, Laws and regulations dealing with information security and privacy: an investigative study, International Journal of Information Security and Privacy, 2, 70, 10.4018/jisp.2008040105
Chow, 2009, Determinants of the critical success factor of disaster recovery planning for information systems, Information Management & Computer Security, 17, 248, 10.1108/09685220910978103
Darke, 1998, Successfully completing case study research: combining rigour, relevance and pragmatism, Information Systems Journal, 8, 273, 10.1046/j.1365-2575.1998.00040.x
Denning, 1999
Ekmekci, 2010, Agility in higher education: planning for business continuity in the face of an H1N1 pandemic, SAM Advanced Management Journal, 75, 20
Fink, 2010, Information technology outsourcing through a configurational lens, The Journal of Strategic Information Systems, 19, 124, 10.1016/j.jsis.2010.05.004
Furnell, 2000, A conceptual architecture for real-time intrusion monitoring, Information Management & Computer Security, 8, 65, 10.1108/09685220010321317
Hagen, 2009, Human relationships a never-ending security education challenge?, IEEE Security & Privacy, 7, 65, 10.1109/MSP.2009.92
Hanseth, 2010, Design theory for dynamic complexity in information infrastructures: the case of building internet, Journal of Information Technology, 25, 1, 10.1057/jit.2009.19
Hu, 2011, Does deterrence work in reducing information security policy abuse by employees?, Communications of the ACM, 54, 54, 10.1145/1953122.1953142
Huberman, 2002
ISECOM, 2012
ISO/IEC, 2013
Issac, 2007, War driving WLAN security issues-attacks, security design and remedies, Information Systems Management, 24, 289, 10.1080/10580530701585831
Jajodia, 1999, Trusted recovery, Communications of the ACM, 42, 71, 10.1145/306549.306580
Jensen, 2010, Cyber warfare precautions against the effects of attacks, Texas Law Review, 88, 1533
Kendall, 2005, Understanding disaster recovery planning through a theatre metaphor: rehearsing for a show that might never open, Communications of the Association for Information Systems, 16, 1001
Kephart, 1993, Computers and epidemiology, IEEE Spectrum, 30, 20, 10.1109/6.275061
Kim, 2012, Possibility-based ERM, Cutter IT Journal, 25, 11
Lai, 2008, Java insecurity: accounting for subtleties that can compromise code, IEEE Software, 25, 13, 10.1109/MS.2008.9
Landoll, 2006
Leonardi, 2011, When flexible routines meet flexible technologies: affordance, constraint, and the imbrication of human and material agencies, MIS Quarterly, 35, 147, 10.2307/23043493
March, 1991, Exploration and exploitation in organizational learning, Organization Science, 2, 71, 10.1287/orsc.2.1.71
Markus, 1988, Information technology and organizational change: causal structure in theory and research, Management Science, 34, 583, 10.1287/mnsc.34.5.583
Martin, 2009
Page, 2003, Evaluating security in software agent systems using a security analysis tool
Parker, 1981
PCI Security Standards Council, 2010, PCI DSS Requirements and Security Assessment Procedures, Version 2.0, retrieved February 2013 from https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
Resca, 2013, Digital platforms as sources for organizational and strategic transformation: a case study of the midblue project, Journal of Theoretical and Applied e-Commerce Research, 8, 71
Richardson, 2010
Siponen, 2006, Six design theories for IS security policies and guidelines, Journal of the Association for Information Systems, 7, 445, 10.17705/1jais.00095
Siponen, 2009, Information security management standards: problems and solutions, Information & Management, 46, 267, 10.1016/j.im.2008.12.007
Sood, 2012, Cybercrime dissecting the state of underground enterprise, IEEE Internet Computing, 17, 60, 10.1109/MIC.2012.61
Spagnoletti, 2011, Exploring the interplay between FLOSS adoption and organisational innovation, Communications of the Association for Information Systems, 29, 279
Spagnoletti, 2008, The duality of information security management: fighting against predictable and unpredictable threats, Journal of Information System Security, 4, 46
Stephenson, 2004, Managing digital incidents – a background, Computer Fraud & Security, 2004, 17, 10.1016/S1361-3723(05)70186-X
Tong, 2003, Implementation of ISO17799 and BS7799 in picture archiving and communication system: local experience in implementation of BS7799 standard
Tsohou, 2008, Process-variance models in information security awareness research, Information Management & Computer Security, 16, 271, 10.1108/09685220810893216
Verizon Risk Team, 2012
Walsham, 1995, Interpretive case studies in IS research: nature and method, European Journal of Information Systems, 4, 74, 10.1057/ejis.1995.9
Walsham, 2006, Doing interpretive research, European Journal of Information Systems, 15, 320, 10.1057/palgrave.ejis.3000589
Ward, 2009, Recognizing the impact of E-discovery amendments on electronic records management, Information Systems Management, 26, 350, 10.1080/10580530903245721
Werlinger, 2010, Preparation, detection, and analysis: the diagnostic work of IT security incident response, Information Management & Computer Security, 18, 26, 10.1108/09685221011035241
Willison, 2010, The expanded security action cycle: a temporal analysis ‘Left of Bang’
Willison, 2013, Beyond deterrence an expanded view of employee computer abuse, MIS Quarterly, 37, 1, 10.25300/MISQ/2013/37.1.01
Yin, 2009